Netgate Discussion Forum
    Limiting scope of openVPN access

jimp (Rebel Alliance Developer, Netgate):

Just use a large enough subnet to accommodate your users * 4. So in your case, ~512*4=2048 IPs, so a /21 or a /20's worth of IPs in any of the private blocks would work.

Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

      Need help fast? Netgate Global Support!

      Do not Chat/PM for help!

Nachtfalke:

        Hi,

        I noticed some problems with "Client Specific overrides".

        I am using an OpenVPN Server with Tunnel Network 10.0.1.0/24

        I tried with Client specific override tunnel network of 10.0.2.120/30

The client could connect to the server but got no access. That's ok, because of the wrong subnet.
Ok, I then deleted the complete client specific override for this client/CN, restarted the OpenVPN server, but the client still got the IP of the 10.0.2.120/30 subnet.

I created again a client specific override for this client/CN and didn't choose any tunnel network (so it used the server's default), and then it connected fine and got an IP of the 10.0.1.0/24 subnet.

Did I do something wrong?!

jimp (Rebel Alliance Developer, Netgate):

          Yes, the static IPs for overrides must be within the tunnel network.

Nachtfalke:

            @jimp:

            Yes, the static IPs for overrides must be within the tunnel network.

            Yes, I wrote that in my previous post I think.

What I want to say is:

If I create an override for a client, the override is working.
If I delete the override completely, then the override still exists.

jimp (Rebel Alliance Developer, Netgate):

              You have to restart OpenVPN after editing or deleting an override, IIRC. It doesn't restart them automatically.

Nachtfalke:

                @jimp:

                You have to restart OpenVPN after editing or deleting an override, IIRC. It doesn't restart them automatically.

Thanks. Good to know that, but I restarted the OpenVPN server after I made any changes.

--- EDIT ---

                I tested it again:

                Restarting OpenVPN Server
                OpenVPN-Server Tunnel Network is: 10.0.1.0/24
                Client Specific Override Tunnel Network: 10.0.1.180/30
                Restarting OpenVPN Server
                Connecting Client
This is working. Client's IP after connecting to the server: 10.0.1.181/30
                Disconnecting client
                Deleting Client specific override
                Restarting server
                Connecting Client
                This is working. Client IP is still 10.0.1.181/30

                I attached some screenshots.


jimp (Rebel Alliance Developer, Netgate):

Does the file for that CN still exist in /var/etc/openvpn-csc?

Nachtfalke:

Yes, it does exist:

                    ifconfig-push 10.0.1.181 10.0.1.182
                    
jimp (Rebel Alliance Developer, Netgate):
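An added audit script (my own example, not code from this thread or from pfSense) that checks a client-specific-override directory for the two problems discussed here: an ifconfig-push address that lies outside the server's tunnel network, and a CSC file left behind after its override was deleted in the GUI. It assumes the pfSense layout of one file per CN containing ifconfig-push lines, and runs against a constructed temporary directory instead of /var/etc/openvpn-csc.

```shell
#!/bin/sh
# Audit of OpenVPN client-specific-override (CSC) files. Checks:
#  1. an ifconfig-push address outside the server's tunnel network
#  2. a CSC file whose CN is no longer in the list of configured overrides
#     (the stale-file case from this thread)

# Dotted quad -> 32-bit integer.
ip_to_int() {
    saved_ifs=$IFS; IFS=.
    set -- $1
    IFS=$saved_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Succeeds when $1 (address) lies inside $2 (network/prefix).
ip_in_cidr() {
    net=${2%/*}; plen=${2#*/}
    mask=$(( (0xFFFFFFFF << (32 - plen)) & 0xFFFFFFFF ))
    [ $(( $(ip_to_int "$1") & mask )) -eq $(( $(ip_to_int "$net") & mask )) ]
}

# audit_csc DIR TUNNEL_CIDR "cn1 cn2 ...": prints one finding per line and
# returns 1 if anything was found, 0 if the directory is clean.
audit_csc() {
    csc_dir=$1; tunnel=$2; configured=" $3 "; findings=0
    for f in "$csc_dir"/*; do
        [ -f "$f" ] || continue
        cn=${f##*/}                       # pfSense names each file after the CN
        case "$configured" in
            *" $cn "*) ;;
            *) echo "$cn: no configured override, file is stale"; findings=1 ;;
        esac
        addr=$(awk '$1 == "ifconfig-push" { print $2; exit }' "$f")
        if [ -n "$addr" ] && ! ip_in_cidr "$addr" "$tunnel"; then
            echo "$cn: ifconfig-push $addr is outside tunnel $tunnel"; findings=1
        fi
    done
    return $findings
}

# Constructed sample directory (not a real pfSense box): alice is fine,
# bob's override is outside the tunnel, dave's override was deleted in the GUI.
demo_dir=$(mktemp -d)
printf 'ifconfig-push 10.0.1.181 10.0.1.182\n' > "$demo_dir/alice"
printf 'ifconfig-push 10.0.2.121 10.0.2.122\n' > "$demo_dir/bob"
printf 'ifconfig-push 10.0.1.185 10.0.1.186\n' > "$demo_dir/dave"
if audit_csc "$demo_dir" 10.0.1.0/24 "alice bob"; then echo "CSC directory is clean"; fi
```

Findings are only as good as the CN list you pass in; on a real box that list comes from the overrides actually configured in the GUI, and a restart of the OpenVPN server is still needed after cleaning up.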

I just pushed a fix; it should be in new snaps soon.

Nachtfalke:

                        Hi,
it is working for me now as expected.
                        I am using 2.0-RC3 (amd64) built on Thu Jul 28 05:40:09 EDT 2011

                        Thanks jimp!

                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.